7 Replies Latest reply on Apr 26, 2007 11:59 PM by kwstasm

JBoss authentication cache problem

kwstasm Apr 25, 2007 11:29 AM

Hi

I am a newbie in Web application security and I am having a problem that tortures me for many days.
I have created a custom server login module to provide security to my web application. In order to do that I have extended the AbstractServerLoginModule class.

The problem I am facing is the following:
When I first open an IE window my custom module's login method gets called, and I login fine.

When I open a second IE window though, and try to login, the login method of the module does not get called.
As far as I read from wiki's-books-forums, jboss caches the principal and the credentials. That is probably the reason why the login method.
I might be wrong but I think the default cache policy of jboss is one with a timeout.
I have tried many ways to try to override this behaviour so whenever I open a new window the login method gets called and the user is authenticated from scratch. Among them is trying to programmatically flush the credential cache, set the flushOnSessionInvalidation attribute to true in the jboss-web.xml and more.
I don't want to set the DefaultCacheTimeout to 0 in the security-service.xml file and force the login to happen constantly.
What I just want to do is, whenever a user opens a new browser window or tries to remote from a remote machine the login authentication is forced and not surpassed with the cached credentials.

I would appreciate any help on that.
Thanks in advancce.

1. Re: JBoss authentication cache problem

kwstasm Apr 25, 2007 11:31 AM (in response to kwstasm)

"kwstasm" wrote:
Hi

... to remote from a remote machine ...

this should be login from a remote machine
Actions
2. Re: JBoss authentication cache problem

jaikiran Apr 25, 2007 12:28 PM (in response to kwstasm)

Looks like cookies are enabled in your browser. Try disabling cookies and see if it works.
Actions
3. Re: JBoss authentication cache problem

jaikiran Apr 25, 2007 12:30 PM (in response to kwstasm)

Also try clearing out the browser cache of your second browser instance, before accessing the application
Actions
4. Re: JBoss authentication cache problem

kwstasm Apr 26, 2007 5:06 AM (in response to kwstasm)

No luck.
The same happens even if the second instance is a Firefox instance.
Actions
5. Re: JBoss authentication cache problem

jaikiran Apr 26, 2007 9:48 AM (in response to kwstasm)

Can you get the jboss security package TRACE logs. That might give a hint. Have a look at Q4 at http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ to obtain the logs
Actions
6. Re: JBoss authentication cache problem

sim-smith Apr 26, 2007 6:02 PM (in response to kwstasm)

As far as I am aware, it isn't possible. The JBoss caching mechanism doesn't/can't distinguish between where the authentication request comes from - e.g. a new browser session vs. new page request vs. EJB call. You can try setting the timeout to 1 second, which would effectively force every page request to hit the LoginModule again, or to 0 seconds which would cause every authentication request (including EJB calls) to hit the login module.
Actions
7. Re: JBoss authentication cache problem

kwstasm Apr 26, 2007 11:59 PM (in response to kwstasm)

I see.
I decided to set the DefaultCacheTimeout to 0 and just ignore the credential
check when the user has already logged in.

Thank you for your answers.
Actions

Go to original post